Show Menu

nmap cheatsheet Cheat Sheet by

Nmap CheatSheet
security     nmap     hacking

Basic Scanning with Nmap

Scan a single target
nmap [target]
Scan multiple targets
nmap [targe­t1,­tar­get­2,etc]
Scan a list of targets
nmap -iL [hackl­ist.txt]
Scan a range of hosts
nmap [range of IP addresses]
Scan an entire subnet
nmap [IP addres­s/cdir]
Scan random hosts
nmap -iR [number]
Excl­uding targets from a scan
nmap [targets] –exclude [targets]
Excl­uding targets using a list
nmap [targets] –exclu­defile [list.txt]
Perform an aggressive scan
nmap -A [target]
Scan an IPv6 target
nmap -6 [target]

Output Options

Save output to a text file
nmap -oN [scan.txt] [target]
Save output to a xml file
nmap -oX [scan.xml] [target]
Grepable output
nmap -oG [scan.txt] [target]
Output all supported file types
nmap -oA [path/­fil­ename] [target]
Period­ically display statistics
nmap –stats­-every [time] [target]
133t output
nmap -oS [scan.txt] [target]

Nmap Scripting Engine

Execute individual scripts
nmap –script [scrip­t.nse] [target]

Execute multiple scripts
nmap –script [expre­ssion] [target]

Execute scripts by category
nmap –script [cat] [target]

Execute multiple scripts catego­ries
nmap –script [cat1,­cat2, etc]

Trou­ble­shoot scripts
nmap –script [script] –scrip­t-trace [target]

Update the script database
nmap –scrip­t-u­pdatedb

Script catego­ries

Version Detection with Nmap

Oper­ating system detect­ion
nmap -O [target]
Attempt to guess an unknown
nmap -O –ossca­n-guess [target]
Service version detect­ion
nmap -sV [target]
Trou­ble­sho­oting version scans
nmap -sV –versi­on-­trace [target]
Perform a RPC scan
nmap -sR [target]

Firewall Evasion Techniques with Nmap

Fragment packets
nmap -f [target]
Specify a specific MTU
nm ap –mtu [MTU] [target]
Use a decoy
nmap -D RND: [number] [target]
Idle zombie scan
nmap -sI [zombie] [target]
Manually specify a source port
nmap –sourc­e-port [port] [target]
Append random data
nmap –data-­length [size] [target]
Rand­omize target scan order
nmap –rando­miz­e-hosts [target]
Spoof MAC Address
nmap –spoof-mac [MAC|0­|ve­ndor] [target]
Send bad checks­ums
nmap –badsum [target]


Comparison using Ndiff
ndiff [scan1.xml] [scan2.xml]
Ndiff verbose mode
ndiff -v [scan1.xml] [scan2.xml]
XML output mode
ndiff –xml [scan1.xm] [scan2.xml]

About me

Job Profile
Security Researcher & Developers

Nmap Discovery Options

Perform a ping scan only
nmap -sP [target]
Don’t ping
nmap -PN [target]
nmap -PS [target]
TCP ACK ping
nmap -PA [target]
UDP ping
nmap -PU [target]
SCTP Init Ping
nmap -PY [target]
ICMP echo ping
nmap -PE [target]
ICMP Timestamp ping
nmap -PP [target]
ICMP address mask ping
nmap -PM [target]
IP protocol ping
nmap -PO [target]
ARP ping
nmap -PR [target]
nmap –trace­route [target]
Force reverse DNS resolu­tion
nmap -R [target]
Disable reverse DNS resolu­tion
nmap -n [target]
Alte­rnative DNS lookup
nmap –syste­m-dns [target]
Manually specify DNS servers
nmap –dns-s­ervers [servers] [target]
Create a host list
nmap -sL [targets]

Download the nmap cheatsheet Cheat Sheet

2 Pages

PDF (recommended)

Alternative Downloads

Share This Cheat Sheet!

Like this cheat sheet? Check out our sponsors! is a collection of tools to make your writing better. More readable content means higher conversion rates and better reader engagement. Measure website and document readability, measure keyword density and more!

Click Here To Get Started!



acheng acheng, 11:05 2 May 16

For the version I'm using (nmap 7.0), ping scan changed from -sP to -sn

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets